Summary

Data centre operators face a dual regulatory landscape under the proposed Cloud and AI Development Act (CADA). While the existing NIS2 Directive (Directive (EU) 2022/2555) mandates technical cybersecurity risk management for essential entities, CADA introduces a distinct framework focused on technological sovereignty, data localisation, and accelerated infrastructure deployment. Operators cannot rely on NIS2 compliance to satisfy CADA's sovereignty criteria, nor does CADA replace NIS2. As defined in Article 2(1), CADA adopts the NIS2 definition of "cloud computing service," ensuring scope alignment, but the obligations diverge: NIS2 asks whether the infrastructure is secure, while CADA asks whether it is sovereign and strategically located.

Detail

The interaction between the proposed Cloud and AI Development Act (CADA) and the NIS2 Directive creates a complementary, two-layer regulatory environment. To navigate this, operators must distinguish between the security mandate of NIS2 and the sovereignty and capacity mandate of CADA.

NIS2: The Cybersecurity Baseline

The NIS2 Directive applies to entities providing data centre services, classifying them as "essential" or "important" entities based on their size and criticality. Under NIS2, these operators must implement strict cybersecurity risk management measures. These include:

  • Technical and organisational measures to manage risks to network and information systems.
  • Incident handling and business continuity planning.
  • Supply chain security assessments.

The CADA explanatory memorandum explicitly acknowledges this existing framework, noting that NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust." However, it clarifies a critical limitation: NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." Consequently, NIS2 remains the primary legal instrument for technical cybersecurity compliance, but it does not address geopolitical risks or infrastructure sovereignty.

CADA: Sovereignty, Capacity, and Acceleration

CADA does not amend or repeal NIS2. Instead, it introduces a separate set of obligations focused on technological sovereignty, data localisation, and accelerated infrastructure deployment. For data centre operators, CADA introduces two primary operational shifts that sit alongside NIS2 duties:

  1. Data Centre Acceleration Zones: Under Article 10, Member States must designate "data centre acceleration zones" where data centre capacity is being deployed. Operators deploying in these zones benefit from streamlined permitting processes, including a maximum 12-month permit-granting procedure under Article 13. However, this speed comes with stricter sustainability mandates. Article 11 requires that sustainability requirements in these zones align with the key performance indicators (KPIs) defined in Delegated Regulation (EU) 2024/1364.
  2. Union Assurance Levels: CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Levels 1–4) under Article 16. While NIS2 focuses on preventing cyberattacks, CADA's assurance levels focus on preventing third-country interference, ensuring data remains exclusively within the Union, and guaranteeing operational autonomy. Annex II details the cumulative criteria for each level, covering data localisation, personnel citizenship, and software supply chain transparency.

The Intersection: Where Regimes Overlap

For a data centre operator, the practical implication is a bifurcated compliance strategy. You must maintain NIS2-compliant cybersecurity controls while simultaneously demonstrating compliance with CADA's sovereignty criteria if you wish to serve public sector clients or operate in acceleration zones.

CADA's definition of "cloud computing service" in Article 2(1) explicitly references the definition in Article 6, point (30) of Directive (EU) 2022/2555 (NIS2). This definitional link ensures that the scope of entities regulated by CADA's sovereignty framework largely aligns with those already subject to NIS2 cybersecurity rules. However, the obligations diverge significantly:

  • NIS2 asks: "Is your infrastructure secure from cyber threats?"
  • CADA asks: "Is your infrastructure sovereign, sustainable, and strategically located?"

Furthermore, Article 29 of CADA requires Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for public sector activities. These assessments consider public order, national security, and the sensitivity of data. This creates a demand-side pull: public sector buyers will increasingly require data centre services that meet specific CADA assurance levels, forcing operators to structure their services to meet these tiers.

What this means for you

As a data centre operator or cloud service provider, you must prepare for a dual-track compliance strategy. Achieving NIS2 compliance does not grant automatic recognition under CADA's sovereignty framework, nor does CADA relieve you of NIS2 duties.

1. Separate Compliance Tracks

  • Cybersecurity (NIS2): Continue to implement and document technical and organisational measures for cybersecurity risk management. This includes incident reporting, supply chain security, and resilience testing. This track is mandatory for your status as an essential or important entity under NIS2.
  • Sovereignty & Deployment (CADA): If you deploy in designated acceleration zones, prepare for streamlined but stricter sustainability permitting. If you target public sector clients, you must align your service offerings with one of the four Union assurance levels. This may require structural changes, such as ensuring all data processing occurs exclusively within the Union (Annex II, Section 1.1(c)) or implementing rigorous software bill of materials (SBOM) controls (Annex II, Section 2.1(i)).

2. Strategic Positioning for Public Procurement

Public sector procurement under CADA will be tiered. Article 30 mandates that contracting authorities with activities contributing to the preservation of public order must only procure services recognised as offering Union assurance levels 2, 3, or 4. To compete for these contracts, you must undergo the recognition process outlined in Article 17, which involves submitting evidence to national competent authorities. For higher assurance levels, independent third-party audits (Article 20) are required. Start preparing your audit readiness now, focusing on data localisation proofs and supply chain transparency.

3. Operational Adjustments for Acceleration Zones

If you plan to expand capacity, monitor your Member State's designation of acceleration zones. While permitting is faster, the sustainability requirements are stricter. Ensure your energy usage, cooling systems, and waste heat recovery plans meet the key performance indicators referenced in Article 11 and Delegated Regulation (EU) 2024/1364. Note that these KPIs are not enumerated in CADA itself but are defined in the delegated regulation.

Common misconceptions

Misconception 1: "NIS2 compliance is enough for CADA sovereignty." False. NIS2 addresses technical cybersecurity (e.g., protecting against hackers). CADA addresses geopolitical sovereignty (e.g., preventing third-country governments from accessing data or disrupting service). A data centre can be technically secure under NIS2 but fail CADA's sovereignty criteria if it allows data to leave the Union or uses software with remote tampering risks from third-country vendors.

Misconception 2: "CADA replaces NIS2 for data centres." False. CADA explicitly complements NIS2. The explanatory memorandum states that CADA "needs to be read in conjunction with" other frameworks. NIS2 remains the primary law for cybersecurity risk management. CADA adds a layer of sovereignty and capacity-building rules. You must comply with both.

Misconception 3: "All data centre operators must achieve Union Assurance Level 4." False. The framework is risk-based. Article 30 sets a minimum baseline of Union Assurance Level 1 for all public sector procurement. Higher levels (2, 3, 4) are only required for activities identified as contributing to the preservation of public order (e.g., national security, defence, law enforcement) following a risk assessment under Article 29. Most general commercial services will likely only need Level 1, which involves a self-assessment and EU statement of conformity (Article 19).

This is general information about a draft EU regulation, not legal advice.